Thousands of subscribers to Nine-owned mastheads The Sydney Morning Herald, The Age and The Australian Financial Review have had their personal information exposed online following a data breach.
The exposed data was first chanced upon by security researcher Kaspar, who goes by @[email protected] on decentralised social platform Mastodon and revealed by Crikey.
Some 16,000 subscribers are thought to have been affected in total.
A spokesperson for Nine said that while some personal data had been exposed, no credit card information had set loose in the public domain.
“We have been made aware by a security researcher that certain personal information held by a third party supplier was not protected to the level of Nine’s strict internal data protocols after an unauthorised change,” the spokesperson said.
“This included a limited number of The Sydney Morning Herald, The Age and The Australian Financial Review print subscriber records. While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue. The customer personal information that was held by the provider was limited to name, postal address and/or email address. The data did not include credit card details or passwords. Nine is directly contacting all subscribers whose records were involved.”
Crikey said that Kaspar (no relation to the friendly ghost) posted on Mastodon that he had contacted Nine, along with Australian cybersecurity group AUSCERT and the Australian privacy commissioner, to inform them about the exposed data on March 19.
Crikey said that it was only after it contacted Nine on March 26 that the exposed data was secured.
